Is Stuxnet Dead?

A Look at Cyber Security and Industrial Control Systems

In July 2010, the computer worm known as Stuxnet was used to cripple centrifuges at a uranium enrichment facility in Iran, shedding new light on the vulnerabilities of industrial control systems (ICS). Dubbed a “super cyber weapon,” Stuxnet was the first malware to specifically target an industrial process, opening up a range of questions about the security of critical processes such as water filtration, chemical processing, and power generation & distribution systems.

“Whether it’s a flowmeter or a temperature [gauge], this threat got very far into the control systems of the real world,” Gerry Egan, a security response director at Symantec, was quoted as saying in a September 2010 NPR news report on the Iran cyber attack. “This attack was not about stealing information. This attack was about physically doing things, [like] turning a dial, reading a sensor.”

The Siemens PCS 7 / S7 Programmable Logic Controller (PLC) family was the target of the 2010 Stuxnet worm attack. In the wake of Stuxnet, Siemens and other vendors have launched aggressive product development initiatives to introduce hardware and software solutions that can help prevent similar attacks in the future.

Stuxnet was designed to attack Siemens PCS 7, S7 PLC and WinCC systems around the world. And while it would seem to serve as a wake-up call for industrial facilities, the reaction to the potential threat and impact of this sophisticated malware was somewhat muted in many cases. According to a survey by McAfee and the Center for Strategic and International Studies (CSIS) of 200 critical infrastructure executives in 14 countries, only 57 percent had performed special security audits after Stuxnet. Only 32 percent of U.S. respondents said they performed an audit. However, 40 percent of those that did a security audit found Stuxnet in their systems.

Who Is at Risk?

Flow control comes into play in many industrial sectors that could be targeted or impacted by a cyber attack. According to Joel Langill, cyber-security specialist, trainer and founder of SCADAhacker.com, cyber security is important to any party who (1) has equipment that provides data to automation systems, (2) depends on open-standards communication protocols and computing platforms, or (3) is involved with equipment that could directly or indirectly result in the shutdown or disruption of physical processes such as oil & gas pipelines, water & wastewater systems, and transportation & distribution facilities. “Cyber threats are all around us, and one of the most dangerous threat vectors is from someone who has trusted access to the core of the automation systems and is capable of carrying malware that he/she is unaware of,” Langill says. “Since our infrastructure is so closely integrated, disruptions in what could be perceived as a non-critical sector could have downstream or upstream effects on more critical components.”

Is Stuxnet Dead?

In the fast-moving world of cyberspace, some experts say Stuxnet is no longer itself a threat as much as the legacy it has left behind — a roadmap for cyber war. “Stuxnet may be over, as it contained many internal timers that caused it to cease operation on various dates,” Langill says. “However, what is far from over is the fact that Stuxnet provided a blueprint of how malware can successfully penetrate even well-designed automation system architectures. The recent Duqu worm proved this point, showing that many of the same cyber-attack vectors used by Stuxnet in mid-2010 could still be used effectively in late 2011.” Duqu was discovered in October 2011. Unlike Stuxnet, it was not built to alter the operation of industrial automation systems; its purpose is to collect sensitive information and send it to a remote server. Langill says unless companies begin to approach security in a different manner than they have in the past, the vectors used by Stuxnet will be very effective for some time to come. “It is also important to realize that various components of the Stuxnet worm have been made available in source code format, making it easy for potential attackers to modify the code for a particular target,” he says.

The authors of Vacon’s white paper On Industrial Automation Security in Fieldbus and Field Device Level (December 2011) suggest that although the maturity of malware and the rate of occurrence in the industrial automation sector are still quite low, attacks may become more frequent and severe in the future. Potential scenarios cited include “vandalism or sabotaging of industrial plants, municipal services, or critical infrastructure just for fun (by everyday hackers) or possibly the hijacking and/or blackmailing of entire plants.”

Two examples of what “everyday hackers” could do occurred in November 2011. First, hackers were originally believed to have obtained access to the control system of a water utility in Illinois and destroyed a pump used to pipe water to thousands of homes. When the U.S. Department of Homeland Security’s ICS-CERT organization officially disclosed that these attacks did not represent any real threat to the systems controlling critical infrastructure, another hacker, said to be outraged by this statement, hacked a U.S. water utility. This second attack did not cause any physical damage, but it did successfully expose the internal control systems for a wastewater treatment plant in South Houston, Texas. Although Stuxnet wasn’t the culprit, these isolated incidents raise important questions about actions to prevent future cyber attacks of this nature.

After Stuxnet

Langill says it can be difficult to pinpoint exactly what has been done to protect vital infrastructure, since the sectors that utilize industrial automation and control systems are so broad. “One thing is for sure, we have not done enough. But this is not to say that nothing has been done,” he says. “Vendors, like Siemens, learned from Stuxnet and have launched aggressive product development initiatives to introduce hardware and software solutions that can help prevent similar attacks in the future.” Entities like the ISA Security Compliance Institute and Wurldtech are also working to help develop standards for certifying equipment that provides a certain level of cyber security protection, Langill says. The ISA SP99 committee, on which Langill serves as a voting member, is also actively working to ratify and release several new standards aimed at addressing cyber security within manufacturing sectors. Langill is currently on a work group within ISA99 as well, which is specifically evaluating the ISA99 standards and how they would have stood up against an attack like Stuxnet.

‘Think Like a Hacker’

One of the biggest misconceptions about cyber war or cyber security is that the question is whether an attack will happen; the real question is when. “The threat surface is so vast that no one enterprise is exempt,” Langill says. Therefore, it is important to look at security from a broad perspective, installing not only cyber “prevention” measures but also measures that can “detect” an attack once it occurs.

Because of the massive investment in legacy equipment that is already installed and in operation across most industrial sectors, Langill says “companies should go ‘back to the basics’ and begin by assessing their current control systems, identifying gaps that could lead to the exploitation of vulnerabilities, and then implement a strategy to correct the deficiencies through various security controls that can provide a form of defense-in-depth offering multiple protective layers much like the cliché belt-and-suspenders.”

If industrial facilities are to begin to defend their automation systems from future cyber attacks, they will need to do things differently than they have done in the past, Langill says. “Companies need to begin to ‘think like a hacker’ and address security from this direction, looking at ways to actively monitor their control systems and detect abnormalities that could be the precursor to a cyber attack.”